Photo from my first day of work in Chicago
Being a hacker for a living sounds cool to any teenage kid. I was one of those kids. Going onto a computer, typing in a bunch of commands, and gaining access to some information because of the skills that you have sounds awesome. Sure I thought it would be more like the Matrix than I would later find out, but either way, I had a dream. The problem is no one actually tells you how to be a hacker. There is no high school course on hacking or computer security, especially in 2006.
There were many google searches back then on "How to be a hacker." Many of those searches I can imagine infected my computer to the point I could no longer play RollerCoaster Tycoon, but I continued my search. I learned about the conferences like Defcon as I got older and hacking sites like hackthissite to practice my limited knowledge of bypassing javascript. But still had no idea what you even had to do to pursue a career like that.
By the time I was 18, I was going to the conferences like Defcon and later Thotcon in Chicago. I still had this question "How do I become a penetration tester." If you're still new to all of this, it's a very intimidating question to ask at one of these conferences because you don't want to look like the guy that doesn't know anything. I got all kinds of answers when I mustered the courage to ask someone that question. I was told I needed to start as a network administrator for a year; I was told you have to get an internship, and I was told I needed a master's degree. For those people, that was probably true, but for me, it went something like this.
I'll quickly touch on College. My thought is that a degree in computer science or something similar may get you past HR, but it will never get you a job on its own. Through all the interviews that I have had in IT, my college degree is barely ever mentioned. Employers care about your knowledge, as shown during whiteboarding exercises or your portfolio. If you don't have a degree but want to get into computer security, nothing is holding you back. I have worked with people that had degrees in philosophy and English, and one was a retired Ophra singer. A college degree means nothing in this field except for a large company that may require a degree for all applicants.
I started my career after college not in security but as a developer. I still dreamed of security, but I had no clue where to get my foot in the door, and I thought being a developer would be a good start. I was a Java developer for a small company right after college, and from there moved to a startup doing enterprise analytics and finally got a job doing Android development. All of this happened in the span of about five years. While not a requirement for the job, I think my experience in programming paid off a lot later on. Knowing how to program in just Python, for example, makes life easier as a pen tester. Understanding how to modify exploits, normally written in python or Ruby, can save you work hours. Also, writing small programs can help with such things as enumeration for anything specific.
While working, I also got into Capture the Flags aka CTFs. If you're unfamiliar, these are jeopardy-style challenges that happen online almost every weekend. The challenges are in different categories, such as cryptography, reverse engineering, or web pwning. While there aren't many real-life examples in these contests, the concepts translate well in learning computer security. During this time, I focused on the cryptography challenges and identified different algorithms and hashes. At the end of these contests, people will post write-ups on the solutions. While the CTFs can be very frustrating, they are great learning opportunities for people new to the field and something to add to your resume showing that you're passionate about security.
Towards the end of my time doing Android development, I was focused a lot more on getting a job in security. I wanted to prove I had some knowledge in the form of a certification as it can be put on my resume. I settled on the CompTIA Security+ certification, a vendor-neutral certification targeting entry-level professionals. I studied for this exam during COVID and was able to take the proctored test at home.
A short while after I passed my certification, the company I was at hosted a CTF challenge for all the employees. Although I haven't done one in a few years, at this point, I was more than familiar with the style of challenges. I signed up for the CTF and started as soon as work was over. One by one, I slowly completed the challenges checking back to the leaderboard every time I got another point. I sat on the floor of our bedroom while my fiance at the time was sleeping. I finally called it quits at about 4 am, sitting in 4th place. I woke up early with a fresh mind and could complete a few more to move into 3rd place, where the contest ended. I finished the CTF in 3rd place with the entire application security team in 2nd by a few points. My goal was to get noticed, and I sure got noticed.
As I mentioned, this was during COVID, and as such, many companies were moving employees around and doing different roles. I was one of those. The computer security team allowed people to split their work and help on the side. I saw this as a great opportunity to get to know the team and see how I could move over someday to work with them full-time. I was given small tasks and helped out whoever I could slowly, my work became more and more related to security. Once the new year started, they offered me a position on the penetration testing team.
Although I have achieved my childhood goal of being a Penetration tester, my craving for knowledge in the field has not stopped. I continue to study slowly for the OSCP exams as life tends to get in the way. I also started this blog to share what I have learned. For fun, I will sit and watch hacking tutorials or do labs on TryHackMe. This career is very much a lifestyle, and while there is no one way to become a Penetration tester, I hope my experience can help you pursue your goals in the future.
Comments